(a) using known passwords that are used elsewhere, (b) dictionary attack derived from the PC of the user,(c) tools such as Passware for brute-force and hybrid attacks (d) rainbow tables are available for Windows, not sure for Excel;

In early versions of Office the password was actually retrievable directly from the file if you knew where to look in a hex dump of the file, see more here;

Ask the client up front what they would like to do with password protected files.

Thursday, August 6, 2009

A lot of important and useful information is posted to litsupport each week. The following is a distilled summary, in the form of questions and answers.

Q. How to select deduplication options for emails, such as for Outlook (PST) files? For those vendors who do not document it completely (using Clearwell as an example), what can be guessed?

A.

Assume that they all (Trident Wave, Law, etc.) dedupe basically the same using MD5 or SHA-1 hash value http://www.secure-hash-algorithm-md5-sha-1.co.uk/ . Assume that Clearwell probably does the same thing. Basically the program looks at a number of fields, FROM, TO CC, SUBJECT and calculates a hash value (like a fingerprint) for the electronic message. Then it runs a comparison of the Hash value so that it can eliminate the duplicates;

The problem is getting an exact list of which fields are used can be difficult. Some systems just list them in a selection page and leave it up to you which you want to use. Some problems to watch are: (a) identical header/subject/body content, but different contents of the attachments, (b) use of Microsoft MSGID which can have collisions in as few as as 10,000 email, the reverse issue - systems which are so picky that they only effectively dedupe on entire PST/MSGs, using the path and other delivery/usage MAPI fields so that you still end up with 20+ copies of the lunch notice from all of your custodians. Clearwell seems to be using a good hash of fields. Advice: always run a couple tests on your sample sets;

The specific fields used for Law are located in the help file under the dedupe section;

Clearwell has a 4-page document that outlines how de-duplication works in their product. A number of fields are used from the email data, these fields are different from those used by LAW or Trident. For loose file de-duplication Clearwell uses some meta fields and the hash of the content which is a different approach to just hashing the content. It can identify files that have the same content but have different filenames and meta fields. The feature is called File Analysis;

Clearwell does deduplication differently in version 4.5 then in 4.0, due to foreign language changes;

It would be nice to have a standard for deduplication of electronic evidence. However, it would be complicated: there is a legal standard for identifying 'identical evidence' or duplicates, by which a deduplication strategy can be crafted. It is called the 'rules of evidence' in whatever jurisdiction one finds their case. The definition varies by the evidence and nature of the case. Today, this necessitates various options in the processing software and the understanding of them;

Can anyone identify a court that explicitly defines, dictates or publishes guidelines for ESI duplicate detection and handling? - Take a look at a well crafted Case Management Order where deduplication was discussed between educated lawyers in the Meet & Confer. The factual underpinnings of the case will define duplicates, and the regimine to be used to de-duplicate or re-populate. Which is why a "universal standard" is utopian.

This summary from the Litsupport Group postings created by the wonderful and talented members of the group has been culled by Mark Kerzner and edited by Aline Bernstein.

Tuesday, August 4, 2009

A lot of important and useful information is posted to litsupport each week. The following is a distilled summary, in the form of questions and answers.

Q. Retention policy regarding cases that "close," for example on a product such as TrialDirector?

A.

One should never just delete the case from all drives when the trial is finished, unless specifically required to do so by a Non-Disclosure Agreement or Court Order. Requests to restore a (TrialDirector) case may come up even years after it was finished. Reasons may include appeals, presentations by attorneys who tried the case, and related matters. Thus general retention policy for larger cases can be "forever," stored on external hard drives. Each drive can hold several cases, and they don't take up very much room. Smaller cases which could be easily re-created can be backed up and stored on CD's or DVD's and included in the case files;

Alternatively, based on longer life expectancy for tapes, one can rule out every other media and back everything up to tape, preserving them for a common term of 10 years;

A reasonably large case can fit on a 16 Gig flash drive which costs $40.

This summary from the Litsupport Group postings created by the wonderful and talented members of the group has been culled by Mark Kerzner and edited by Aline Bernstein.

Sunday, August 2, 2009

To offer my private analysis, from the point of Jewish law we are dealing with the case of "asmachta lo kanya," (hint does not acquire), meaning that when people begin to download music with say Kazaa, they don't wholeheartedly agree to possible penalties. Even though technically they click on "I agree," but in their minds they don't really mean it. Then collecting on such promises constitutes taking money illegally.

American law is not Jewish law, and it is more similar to the laws of the people of Sodom, who would band together to steal, each in the amount less than actionable in court. Although what they did was not nice, each one could not be sued.

However, American law is not the law of Sodom either, and technically people can be liable for downloading music. What remains in question is this. According to RIAA, this is the law and it should be enforced. The other side claims that RIAA, its clients, and their lobbying groups influenced the law to be written the way it is. Then the argument is precisely the fairness of the law and if it should be changed to fit the new times.